I have a Mac server that I can join clients to using System Preferences -> Users and Groups -> Login Options -> Network Account Server. However, I'd like to do this remotely without having to touch every Mac. I have a local user on each machine that can sudo to root. How can I join the Network Account Server via the shell?

I've seen dsconfigad, but on a machine joined to my account server it doesn't show anything when I do dsconfigad -show, which implies that's the wrong command for me.

1 Answer
1

dsconfigad is for connecting to Active Directory domains; for Open Directory domains, you need to use dsconfigldap (which configures the LDAPv3 connector) instead. Basic usage is pretty simple:

sudo dsconfigldap -a odserver.domain.com

If you're doing authenticated binding, you'll need to add flags to give the OD admin credentials, computer name, etc.; see man dsconfigldap. If the server is also running 10.7, you'll be prompted for whether to trust its certificates; I haven't experimented with how to handle this in a script yet.

If the client is running 10.6 or older, there are some additional steps to set up the search policies and kerberos config (this is handled for you by 10.7's dsconfigldap):

Ok. Can I ask dsconfigldap if I'm already connected to a given domain? I'm looking at the dsconfigldap -h output and not seeing it.
– Bill Weiss, May 16 '12 at 14:29

1

I don't see a way to do that with dsconfigldap (it doesn't have an option like dsconfigad -show), but dscl localhost -ls /LDAPv3 will list the server(s) you're bound to. Warning: you might be bound by the server's hostname or IP, or to a replica (if you have any), so detecting a specific domain is nontrivial.
– Gordon Davisson, May 16 '12 at 18:58

Aha, that's it. In our case it's easy, we just have one name for the thing.
– Bill Weiss, May 16 '12 at 19:14
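As an added example (not code from the answer or its comments), here is the remote-bind script the question is after, combining the dsconfigldap bind from the answer with the dscl check from the comments so it only binds when the server is not already listed. It assumes it runs as root on the client, uses the answer's anonymous bind, and takes odserver.domain.com as the placeholder server name.

```shell
#!/bin/sh
# Added example: bind to an Open Directory server from the shell only when
# `dscl localhost -ls /LDAPv3` does not already list it.
# Assumptions: run as root (sudo) on the client; anonymous bind as in the
# answer; odserver.domain.com is the answer's placeholder hostname.
set -eu

# The LDAPv3 nodes this client is bound to, one per line. Kept in its own
# function so the matching logic below can be exercised with canned output.
list_ldap_nodes() {
    dscl localhost -ls /LDAPv3
}

# Succeed if $1 appears as a whole line on stdin. Whole-line, fixed-string
# matching stops "od.domain.com" from matching "od.domain.com.old"; as the
# comment above warns, a bind by IP address or to a replica will not match
# the server's name, so a miss here means "not bound under this name".
node_listed() {
    grep -qxF -- "$1"
}

is_bound_to() {
    list_ldap_nodes | node_listed "$1"
}

# Bind to $1 unless already bound. For an authenticated bind, add the
# credential and computer-name options described in man dsconfigldap.
bind_if_needed() {
    if is_bound_to "$1"; then
        echo "already bound to $1"
    else
        dsconfigldap -a "$1"
        echo "bound to $1"
    fi
}

# Run as:  sudo sh bind-od.sh bind odserver.domain.com
# With no subcommand the file only defines the functions, so it can be sourced.
case "${1:-}" in
    bind) bind_if_needed "${2:-odserver.domain.com}" ;;
esac
```

Pushed out over ssh to each client's sudo-capable local user, this keeps the bind idempotent, so re-running it on an already-joined Mac does nothing.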